North Korean Ransomware Maui Attacks Healthcare Companies

This week, the FBI, CISA, and the US Treasury issued a joint warning about the Maui ransomware used by North Korean hackers. According to experts, the malware purposefully targets healthcare and public health organizations.

The warning states that since May 2021, hackers have been using the Maui ransomware to deliberately disrupt various healthcare services, including diagnostics, electronic health records, data visualization, and service intranets. The initial point of entry into the networks of the affected organizations is unknown.

We previously reported that cybercriminals attacked the UHS healthcare network, and that the data of 2 million patients leaked due to a hack of Shields Health Care Group.

According to Stairwell analysts, whose research was the basis for the warning issued by the authorities, the deployment of Maui in the networks of the victims is manual, and the malware operators target certain files that they want to encrypt.

In addition, Maui does not leave any ransom messages or data recovery instructions on encrypted machines.

"Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects to Maui ransomware that are unknown, including usage context," Stairwell specialists write.

Maui uses a combination of AES, RSA and XOR for the encryption process: files are encrypted with AES using a unique key, which is then encrypted with the RSA key pair generated when the malware is first run, and then the RSA public key is encrypted using another hardcoded RSA public key.

US officials believe that this campaign is based on the willingness of medical institutions to pay a ransom, as they need to quickly recover from an attack and ensure uninterrupted access to critical data and services, because people’s lives and health depend on them.

"The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks," American authorities recommend.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
